Exploit code for a vulnerability in Firefox was posted online on Monday. Mozilla says it is working on a fix.
US-CERT on Tuesday warned about a vulnerability in the new Firefox 3.5 browser that could allow a remote attacker to execute malicious code. Proof-of-concept exploit code was posted Monday on Milw0rm.com, an exploit code aggregation site, so it’s likely that the vulnerability is being actively exploited.
The vulnerability, discovered by Simon Berry-Byrne, is related to the way Firefox 3.5 processes JavaScript code. Mozilla has acknowledged the vulnerability and has a fix that’s being tested. “The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,” the company said on its security blog. “The vulnerability can be mitigated by disabling the JIT in the JavaScript engine.
To do this:
1) Enter about:config in the browser’s location bar.
2) Type jit in the Filter box at the top of the config editor.
3) Double-click the line containing javascript.options.jit.content setting the value to false.”
As an alternative, the NoScript plug-in, which disables all JavaScript in the browser, should also offer protection.
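For administrators who need to check or apply the about:config change above across several Firefox profiles, the following Python example (added here, not from Mozilla or the original article) reads a profile's prefs.js and user.js and appends the setting to user.js. It assumes that an unset preference leaves the content JIT enabled; the function names and the sample profile are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "javascript.options.jit.content"
# Matches lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(path, name=PREF):
    """Return the last value set for `name` in a prefs file, or None."""
    if not path.is_file():
        return None
    value = None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # later lines override earlier ones
    return value

def jit_mitigated(profile_dir):
    """True if the profile's effective setting disables the content JIT."""
    profile = Path(profile_dir)
    # user.js is applied over prefs.js at startup, so it is checked first.
    for fname in ("user.js", "prefs.js"):
        value = read_pref(profile / fname)
        if value is not None:
            return value == "false"
    return False  # assumption: pref absent means the JIT is left enabled

def enforce(profile_dir):
    """Append the mitigation to user.js so it is reapplied on every start."""
    user_js = Path(profile_dir) / "user.js"
    with user_js.open("a", encoding="utf-8") as fh:
        fh.write(f'\nuser_pref("{PREF}", false);\n')

def demo():
    """Constructed sample profile: audit it, enforce, audit again."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
        before = jit_mitigated(d)
        enforce(d)
        return before, jit_mitigated(d)

if __name__ == "__main__":
    print(demo())
```

Remove the line from user.js once the fixed Firefox release is installed; otherwise the JIT stays disabled on every start.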
Secunia, a computer security company based in Denmark, rates the vulnerability “highly critical” and notes that older versions of Firefox may be affected as well.
F-Secure, a computer security company based in Finland, said in a blog post that its Exploit Shield security software blocks the exploit.
In an interview on Monday about a bug in Google’s Chrome browser, Robert “RSnake” Hansen, CEO of SecTheory, a computer security consulting firm, criticized Firefox’s security process as being less rigorous than Microsoft’s. “For the most part, it’s just a bunch of random dudes who are contributing to it,” he said.
Nevertheless, Hansen said that Firefox, rather than Internet Explorer, was his browser of choice because it was better for hacking.
Johnathan Nightingale, whose business card says “human shield” — he manages the front-end team for Firefox and security issues — says he’s proud of the work Mozilla does and that he can’t compare Mozilla’s efforts to Microsoft’s because Microsoft’s security process isn’t open.
He notes that Mozilla devotes significant resources to security and that the company’s security team has been growing. He welcomes those who want to contribute to Mozilla to make it more secure.
